
Virginia Consumer Data Protection Act (CDPA)

The Virginia Consumer Data Protection Act (VCDPA) introduced a major shift in U.S. privacy law when it became effective on January 1, 2023. This law establishes comprehensive privacy requirements for businesses while giving Virginia consumers significant control over their personal data.

Unlike California’s CCPA, which has been criticized for complexity, the Virginia data privacy law follows a more business-friendly model while borrowing principles from the EU’s GDPR. Below is everything your organization needs to know about VCDPA compliance, exemptions, and enforcement.

Looking for comparisons with other states? Explore our guides on the Colorado Privacy Act and Oregon Consumer Privacy Act.

What Is the Virginia Consumer Data Protection Act (VCDPA)?

The VCDPA is Virginia’s flagship privacy law, designed to improve transparency, accountability, and consumer control over personal information. It requires businesses that process personal data to adopt policies for access, deletion, and opt-out rights, while enforcing stricter requirements for sensitive data.

The law applies to companies doing business in Virginia or targeting Virginia residents if they process data for 100,000 or more consumers annually, or 25,000 consumers while earning at least 50% of revenue from data sales.

Full text of the law can be found on the Virginia General Assembly official page.

Virginia Consumer Data Protection Act Effective Date

The Virginia Consumer Data Protection Act effective date was January 1, 2023, making it one of the earliest comprehensive state privacy frameworks in the U.S. after California’s CCPA. Businesses that fall under the law must already be in full compliance to avoid enforcement risks.

For a detailed breakdown, see IAPP’s VCDPA resource center.

Key Obligations Under the Virginia Privacy Law

Unlike some U.S. privacy laws, VCDPA enforces explicit consent requirements, robust privacy disclosures, and data minimization principles. Companies must publish privacy notices outlining the types of data collected, processing purposes, categories of data shared, and clear instructions on how consumers can exercise their rights.

Businesses are also required to provide at least two secure methods for consumers to submit rights requests and to respond within 45 days. Sensitive data, such as health information, precise geolocation, and biometric identifiers, may only be processed with opt-in consent (source: Usercentrics).

Additionally, organizations engaging in targeted advertising, profiling, or large-scale sensitive data processing must conduct Data Protection Assessments—similar to GDPR’s DPIAs. More information is available in the VCDPA compliance guide from BakerHostetler.

What Types of Data Are Exempt From the Virginia Data Privacy Law?

While comprehensive, the Virginia privacy law excludes certain categories of data to avoid duplication with federal laws. Exemptions include:

  • HIPAA-covered health data
  • GLBA financial data
  • FCRA-regulated credit reporting information
  • Data governed by FERPA and COPPA
  • Publicly available information and de-identified data

For a full list of exemptions, visit the Virginia Code §59.1-577.

Which Businesses Are Exempt From VCDPA?

Entities such as state agencies, nonprofit organizations, and institutions of higher education are excluded from the VCDPA’s scope. Small businesses that process data for fewer than 100,000 Virginia residents annually may also be exempt unless they earn a significant portion of revenue from data sales.

More details are provided in Goodwin’s VCDPA overview.

Enforcement: How Is the VCDPA Enforced?

The Virginia Attorney General has sole enforcement authority under the VCDPA. There is no private right of action, meaning consumers cannot sue businesses for violations.

  • Cure Period: Organizations have 30 days to cure violations after receiving notice from the AG.
  • Penalties: Up to $7,500 per violation, plus possible recovery of investigative costs.

Consumers can file complaints through the Virginia AG’s Consumer Protection Division.

For additional compliance insights, check JD Supra’s enforcement analysis.

How to Comply With the Virginia Consumer Data Protection Act

Compliance with VCDPA requires a multi-step strategy:

  1. Conduct Data Mapping and Risk Assessments: Identify data flows and assess risks for profiling and targeted advertising (source: IAPP).
  2. Update Privacy Notices: Ensure disclosures meet statutory requirements for clarity and consumer accessibility.
  3. Implement Rights Request Mechanisms: Provide at least two secure submission options (e.g., web form, email).
  4. Obtain Consent for Sensitive Data: Secure opt-in consent before processing sensitive categories such as race, health, or biometrics.
  5. Negotiate Data Processing Agreements: Include specific terms for confidentiality, security, and breach notification obligations.
  6. Prepare for AG Audits: Maintain documentation of policies and DPIAs for at least five years (source: Hunton Andrews Kurth LLP).

How VCDPA Differs From CCPA

While both laws enhance consumer privacy, the VCDPA differs from the CCPA in several respects, and is less burdensome for businesses in some of them:

  • No private lawsuit rights (unlike CCPA)
  • Mandatory risk assessments similar to GDPR
  • Broader definition of sensitive data
  • Simpler opt-out requirements compared to California’s complex structure

For a detailed comparison of Virginia’s and California’s privacy regimes, refer to National Law Review’s analysis.

FAQ: Virginia Consumer Data Protection Act

Does the VCDPA apply to small businesses?

Yes, if they meet the thresholds of processing data for 100,000 consumers or deriving over 50% of their revenue from data sales.

How can consumers file complaints in Virginia?

Through the Attorney General’s Consumer Protection Division.

What is considered sensitive data under the VCDPA?

Health information, racial or ethnic origin, sexual orientation, religious beliefs, precise geolocation, and biometric data.

What is the penalty for non-compliance?

Civil fines of up to $7,500 per violation, enforced by the AG.

How is the VCDPA different from the CCPA?

It has no private right of action and mandates risk assessments, offering a more predictable enforcement model.

Final Thoughts

The Virginia Consumer Data Protection Act represents a major evolution in U.S. privacy regulation, striking a balance between consumer rights and business obligations. With enforcement underway, organizations should:

  • Audit data processing activities
  • Update privacy notices and consent mechanisms
  • Perform DPIAs for high-risk operations
  • Train staff on consumer rights handling

For the official law text, visit the Virginia Code Chapter 53 and review guidance from Usercentrics.

Looking for compliance strategies across multiple states? Explore our guides on the Colorado Privacy Act and Maryland Online Data Privacy Act.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Reading this content does not create an attorney-client relationship. A qualified attorney should be consulted for guidance tailored to your organization’s situation.
